So let’s try to understand what I’m doing wrong.
I’m using
Which shows my DNS is OK.
Also I like to show the main page with my ISP info.
I’m showing this, as the host name isn’t the same as my DNS host name.
In addition my iPfire installation has a different host name.
So the term host name can be a bit confusing.
However FQDN ought to be clear. It can be your host name, but it can also be something else. In my case I expect “iPfire-test.ddns.net” to be my only FQDN.
Next, there are 3 steps to be done:
- Create a global setting
- Generate a certificate
- Create a connection
So, step one in my case looks like this.
I’m not sure about the RoadWarrior setting, as the subnet isn’t part of my subnet locally. So 192.168.20.0/24 may work and may not. I don’t know. The zero before 24 is the number I’d rather change to 1, in order to comply with my local network. However my understanding from previous answers in this thread is it doesn’t matter, as this is just to assign an IP to the remote host. (My iPad).
Next is certificate:
Apart from the first required field, which can be anything, the next two required fields have been assigned the FQDN. Is this correct?
It’s very clear to me that the host name has to equal the FQDN.
The explanation under Subject Alternative Name is very confusing to me. It’s a requirement, but it says IF you have (then conditions), you CAN implement them here, like if I don’t have, leave blank. Also the choices are so many.
This must be better explained in the wiki.
Last is connection.
Wiki is here:
And it’s not helpful at all. And latest editing did it even worse.
Adding a name is easy. Call it whatever you like.
Local and Remote ID aren’t required, so I leave them blank. But I think it’s not correct, as somewhere else the wiki says it’s a requirement and I don’t understand those requirements transferred to my example.
Local ID must be set to the IPFire’s FQDN prefixed by an “@” sign. Remote ID must be the system’s hostname prefixed by an “@” sign and the hostname must also be added to the certificate as “Subject Alternative Name” prefixed with “DNS:”.
I will test with FQDN on local ID after. @ipfire-test.ddns.net ought to be the correct setting. My iPfire host name I’m not 100% sure about. I do expect my iPfire host name to comply with what I actually have named my installation, but my understanding from @jon is that I’m wrong in this case.
As suggested before, it ought to be equal to what’s visible using this setting:
But my understanding is I’m wrong.
Local subnet may be 0.0.0.0/0, but can also be something else. My picture shows what iPfire suggested. I don’t to my knowledge have this subnet.
192.168.20.0
I have
192.168.20.1
DNS servers (in plural?) are hopefully my local 192.168.20.1. I don’t know.
Further there is an authentication to be filled in.
I assume name and organization name can be anything. And those are the two required fields (apart from PW).
I think however SubjectAlternativeName(subjectAltName=email:,URI:,DNS:,RID:) must be filled in.
I’m confused what to fill in. I think DNS:”your FQDN”. That will at least comply with what I did when using the same field (well, same name) in creating the certificate.
It was said before to equal the remote ID, but that field is now blank.
@ms says it’s working for him. But can you either show what’s working or tell me what I’m doing wrong?
I’ve now been taken to the advanced section.
Here the wiki has been updated, but it’s unclear to me if the suggested choices are the only ones to select, or if I can add several more.
I’m using the latest iOS 14.7.
First question is if IKE and ESP settings shall be equal.
Next, the wiki doesn’t say which of the 3 possible drop-down selections to edit. And what is written in the wiki isn’t shown at all as an option.
But one can guess.
- iOS 14: AES-GCM-256-128 / SHA2-256 / MODP-2048
Is probably here under encryption:
So the question is, should I remove all default selections, and only select the 3 the wiki says?
I’m trying this for now.
So it’s looking like this and I’m ready for import to my iPad.
But it’s not working. So where to start and make corrections?
Edit:
There is one error here for sure.
“The hostname in the certificate has to match for MacOS and iOS to accept the certificate”
But I don’t fully understand that sentence.
We have host certificate and root certificate and then whatever shall be matched in iOS.
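One concrete check for the quoted rule, added here as an example and not part of the original post or of IPFire: the FQDN the client connects to must appear as a DNS: entry in the host certificate's Subject Alternative Name. The script below builds a throwaway self-signed certificate with the openssl CLI (assumed installed, version 1.1.1 or newer for -addext) and tests whether a given FQDN is listed in its SAN; the FQDN is the one from the post, the key and certificate are constructed for the check only.

```shell
#!/bin/sh
# Added example: does the FQDN the client will dial appear in the certificate's
# subjectAltName as a DNS: name? Constructed test certificates, not real ones.

FQDN="ipfire-test.ddns.net"   # FQDN named in the post (assumed for this check)

# make_test_cert DIR CN SAN_HOST
# Writes DIR/host.key and DIR/host.pem: a self-signed certificate whose
# Subject CN is CN and whose subjectAltName is exactly "DNS:SAN_HOST".
make_test_cert() {
  dir="$1"; cn="$2"; san="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/host.key" -out "$dir/host.pem" \
    -subj "/CN=$cn/O=test-org" \
    -addext "subjectAltName=DNS:$san" >/dev/null 2>&1
}

# san_dns_names CERT
# Prints every DNS: entry of the certificate's subjectAltName, one per line.
san_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_matches_fqdn CERT FQDN
# Exit status 0 when FQDN is one of the SAN DNS names (exact match), else 1.
# A bare hostname such as "ipfire" in the SAN does not satisfy the FQDN.
cert_matches_fqdn() {
  san_dns_names "$1" | grep -qxF "$2"
}

# Demonstration: one certificate that carries the FQDN, one that carries
# only the bare hostname; the second is the mismatch the quoted rule rejects.
demo() {
  d=$(mktemp -d)
  make_test_cert "$d" "$FQDN" "$FQDN"
  cert_matches_fqdn "$d/host.pem" "$FQDN" && echo "FQDN in SAN: ok"
  make_test_cert "$d" "ipfire" "ipfire"
  cert_matches_fqdn "$d/host.pem" "$FQDN" || echo "bare hostname in SAN: mismatch"
  rm -rf "$d"
}
demo
```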